Dark Web News Analysis: Rappi Brazil Customer and Financial Data on Sale
A database allegedly belonging to Rappi Brazil, a major “super-app” providing services from food delivery to financial products, is being offered for sale on a hacker forum. The breach appears to target users of its financial services, including the Rappi credit card and RappiCarga, and contains highly sensitive national identification numbers. A compromise of a major e-commerce and fintech platform like Rappi is a critical security event. The leaked data provides a complete toolkit for identity theft and fraud, reportedly including:
- Customer PII and National ID: Full names, CPF (Cadastro de Pessoas Físicas – the Brazilian national taxpayer ID), email addresses, phone numbers, and physical addresses.
- Financial and Order Information: Details on products purchased, payment amounts, and invoice information.
Key Cybersecurity Insights
A data breach that combines financial activity with a national identifier like the CPF is a catastrophic event for the individuals affected, enabling a wide range of sophisticated crimes.
- Leak of CPF Numbers Enables High-Level Identity Theft: The CPF is a unique national identifier in Brazil, essential for almost all financial and official activities. Its exposure, combined with a person’s full name, contact details, and financial history, is a worst-case scenario. Criminals can use this to commit serious, hard-to-dispute identity theft, including opening fraudulent bank accounts, applying for loans, and committing tax fraud.
- A “Super-App” Breach Creates a Multi-Faceted Fraud Risk: Rappi is not just a food delivery service; it is a financial platform. The leaked data, which includes payment amounts and invoice information, allows criminals to understand a user’s spending habits. This enables them to craft highly convincing and personalized phishing scams related to their real financial activities, making the fraud attempts much more likely to succeed.
- A Major Violation of Brazil’s LGPD Data Protection Law: The compromise of sensitive PII and financial data of Brazilian citizens is a direct and serious violation of Brazil’s Lei Geral de Proteção de Dados (LGPD). Rappi faces the prospect of a thorough investigation by the Brazilian data protection authority (ANPD) and potentially massive fines for failing to protect its users’ data.
Critical Mitigation Strategies
Rappi must launch an urgent investigation to contain this breach, while its users, particularly those of its financial services, must be on maximum alert.
- For Rappi Brazil: Immediately Investigate and Notify Authorities: The company must launch an immediate and full-scale investigation to confirm the breach, identify the source, and assess the full scope. In compliance with Brazil’s LGPD, they must report the incident to the national data protection authority (ANPD) and cooperate with law enforcement.
- For Rappi Brazil: Secure Accounts and Enhance Monitoring: Rappi should immediately enforce stronger password policies and mandate Multi-Factor Authentication (MFA) for all its services, especially its financial products. It is also critical to immediately enhance internal monitoring to detect fraudulent activity on the affected customer accounts.
- For Rappi Brazil Customers: Be on Maximum Alert for Fraud: This is the most crucial advice for the victims. All users, especially of Rappi’s credit card and other financial services, must assume their identity is at high risk. They should closely monitor their bank accounts and credit reports for suspicious activity and be extremely wary of any unsolicited communication, even if it contains their real personal or order information.
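The "enhance internal monitoring" recommendation above can be made concrete. The following is an added illustration, not code from the original post and not Rappi's own system: it runs a simple post-breach monitoring pass over account events for the set of accounts believed to be in the leaked dump, raising an alert on account-takeover precursors (credential resets, contact-detail changes, new-device logins), on high-value payments, and on the classic pattern of a payment shortly after an account change. The account IDs, the CPF value, the event stream and the thresholds are all constructed assumptions, and any CPF that appears in an alert is masked so the monitoring output does not copy the full national ID into logs.

```python
"""Post-breach monitoring sketch (added example; all data below is constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed: account IDs assumed to appear in the leaked data set.
AFFECTED_ACCOUNTS: Set[str] = {"acct-1001", "acct-1002"}

# Events that precede account takeover when an attacker already holds the
# victim's name, CPF, phone number and address from the leak.
HIGH_RISK_EVENTS = {
    "password_reset", "phone_change", "email_change",
    "new_device_login", "credit_limit_request",
}


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str
    amount: float = 0.0   # BRL; only meaningful for "payment" events
    cpf: str = ""         # only present on identity-verification events


def mask_cpf(cpf: str) -> str:
    """Keep only the last two digits of an 11-digit CPF (formatted or not),
    enough to correlate alerts without writing the full identifier to logs."""
    digits = "".join(ch for ch in cpf if ch.isdigit())
    if len(digits) != 11:
        return "<invalid-cpf>"
    return "***.***.***-" + digits[-2:]


def flag_events(events: List[Event],
                affected: Set[str] = AFFECTED_ACCOUNTS,
                window: timedelta = timedelta(hours=1),
                amount_threshold: float = 500.0) -> List[Dict]:
    """Return alert records for accounts in the affected set:
    every high-risk account change, every payment above the threshold, and
    every payment that follows an account change within `window`."""
    alerts: List[Dict] = []
    last_change: Dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.account not in affected:
            continue  # unaffected accounts keep their normal monitoring
        if ev.kind in HIGH_RISK_EVENTS:
            last_change[ev.account] = ev.ts
            alerts.append({
                "account": ev.account, "kind": ev.kind,
                "reasons": ["account change on exposed account"],
                "cpf": mask_cpf(ev.cpf) if ev.cpf else "",
            })
        elif ev.kind == "payment":
            reasons = []
            if ev.amount > amount_threshold:
                reasons.append("high-value payment")
            prev = last_change.get(ev.account)
            if prev is not None and ev.ts - prev <= window:
                reasons.append("payment soon after account change")
            if reasons:
                alerts.append({"account": ev.account, "kind": ev.kind,
                               "reasons": reasons, "cpf": ""})
    return alerts


def sample_events() -> List[Event]:
    """Constructed event stream; timestamps are relative to a fixed origin."""
    t0 = datetime(2025, 1, 1, 9, 0)
    return [
        Event(t0 + timedelta(hours=1), "acct-1001", "new_device_login"),
        Event(t0 + timedelta(hours=1, minutes=20), "acct-1001", "payment", amount=120.0),
        Event(t0, "acct-1002", "payment", amount=40.0),
        Event(t0 + timedelta(hours=2), "acct-1002", "password_reset", cpf="123.456.789-09"),
        Event(t0 + timedelta(hours=2, minutes=10), "acct-1002", "payment", amount=900.0),
        Event(t0 + timedelta(hours=3), "acct-2001", "password_reset"),   # not affected
        Event(t0 + timedelta(hours=5), "acct-1001", "payment", amount=60.0),  # outside window
    ]


def run_sample() -> List[Dict]:
    return flag_events(sample_events())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The affected-account set would normally be loaded from the breach investigation rather than hard-coded, and the window and amount threshold should be tuned against the platform's own baseline; the point of the example is that accounts known to be in the dump warrant a tighter rule set than the general population, and that alerting on them must not itself become a second copy of the leaked CPFs.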
Secure Your Organization with Brinztech
As a cybersecurity provider, we can protect your business from the threats discussed here. Contact us to learn more about our services.
Questions or Feedback?
For expert advice, use our ‘Ask an Analyst’ feature. For general inquiries or to report this post, please email us: contact@brinztech.com